Tom Hinkel, Director of Compliance
Up until just shortly before it failed, Washington Mutual had received either average or above average CAMELS ratings from their primary federal regulator (PFR). According to the post-mortem report by the Department of the Treasury, “WaMu failed primarily because of management’s pursuit of a high-risk lending strategy that included liberal underwriting standards and inadequate risk controls.” Certainly the declining economy and real estate market contributed, as did a sudden flood of customer withdrawals as the crisis began to unfold, but it’s instructive to note that the Treasury’s report primarily faulted Bank management.
Likewise, when Indy Mac Bank failed in 2008, their PFR (OTS) gave Indy Mac Bank favorable CAMELS ratings right up to the time it failed. In their report, the Office of Inspector General stated in part that they were allowed by regulators to pursue their strategy of rapid asset growth and risky lending practices until the real estate market started to collapse, only then invalidating the fundamentals of management’s growth strategy.
Both of these examples point to inadequate management of strategic risk as the core issue. Strategic risk is defined as that associated with the financial institution’s mission and future business plans. It primarily arises from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. It can also stem from inaccurate information or analysis that causes management to make poor strategic decisions. Therefore, strategic risk can really be defined as management risk.
The ability of management to respond to changing circumstances and to address the risks that may arise from changing business conditions, or the initiation of new activities or products, is an important factor for regulators in evaluating a financial institution’s overall risk profile and the level of supervisory attention warranted. For this reason, “the Management component is given special consideration when assigning a composite rating.”
CAMELS is the acronym for the six essential components used to rate an institution’s financial condition under the Uniform Financial Institution Rating System. The rating system was adopted by the FFIEC in 1979 (revised to add the “S” in 1996), and is based on the following components of an institution’s condition:
- (C) Capital adequacy,
- (A) Asset quality,
- (M) Management,
- (E) Earnings,
- (L) Liquidity and
- (S) Sensitivity to market risk
CAMELS ratings include a numeric score for each of the six components, and an overall numeric composite rating. The numeric ratings range from 1 (best) to 5 (worst) and generally mean:
1. Sound in every respect
2. Fundamentally sound
3. Some degree of supervisory concern
4. Unsafe and unsound practices or conditions
5. Extremely unsafe and unsound practices or conditions
Disclosure of CAMELS ratings by the financial institution to the public is prohibited, in part because regulators fear that unfavorable ratings could lead to increased reputation risk, resulting in excessive withdrawals and the inability of the institution to effectively compete in their market, resulting in further exacerbation of the problem. Even so, management generally considers anything other than a “1” or “2” to be suboptimal, perhaps because it does reflect on their overall management ability.
But there is also a financial aspect to the CAMELS ratings. For most institutions in Risk Category I (generally, those institutions with less than $10 billion in assets and those with $10 billion or more in assets that do not have long-term debt issuer ratings), base FDIC deposit insurance assessment rates are based on a combination of financial ratios and CAMELS component ratings, with the largest weight applied to Capital and Management (25% each).
Additionally, the FFIEC has identified management as a critical component in ALL of the IT Examination Handbooks, for example:
- Audit – The board of directors and senior management are responsible for ensuring that the institution’s system of internal controls operates effectively.
- Business Continuity Planning – It is the responsibility of an institution’s board and senior management to ensure that the institution identifies, assesses, prioritizes, manages, and controls risks as part of the business continuity planning process.
- Information Security – Information security is a significant business risk that demands engagement of the Board of Directors and senior business management.
- Operations – Senior management and the board of directors are responsible for ensuring IT operates in a safe, sound, and efficient manner throughout the institution.
- Outsourcing – The responsibility for properly overseeing outsourced relationships lies with the institution’s board of directors and senior management.
In fact, management is so important that the ability of management to identify, measure, monitor, and control the risks of its operations is also taken into account when assigning each of the other CAMELS component ratings as well:
- Capital Adequacy
  - …The ability of management to address emerging needs for additional capital.
- Asset Quality
  - …The ability of management to properly administer its assets…
- Earnings
  - …The ability (of management) to provide for adequate capital through retained earnings…
- Liquidity
  - …The capability of management to properly identify, measure, monitor, and control the institution’s liquidity position…
- Sensitivity to Market Risk
  - …The ability of management to identify, measure, monitor, and control exposure to market risk…
The Management component of the CAMELS rating reflects the governance capability of the board of directors and management, in their respective roles, to identify, measure, monitor, and control the risks of an institution’s activities and to ensure a financial institution’s safe, sound, and efficient operation in compliance with applicable laws and regulations. All things considered, it follows logically that management is generally regarded as the most important element for a successful operation of a financial institution.
So, given its overwhelming importance to the safety and soundness of the institution, let’s take a closer look at the “M”, and what it takes to demonstrate compliance.
These are the elements that make up the CAMELS management component rating:
1. The ability of the board of directors and management, in their respective roles, to plan for, and respond to, risks that may arise from changing business conditions or the initiation of new activities or products.
2. The adequacy of, and conformance with, appropriate internal policies and controls addressing the operations and risks of significant activities.
3. The accuracy, timeliness, and effectiveness of management information and risk monitoring systems appropriate for the institution’s size, complexity, and risk profile.
4. The adequacy of audits and internal controls to: promote effective operations and reliable financial and regulatory reporting; safeguard assets; and ensure compliance with laws, regulations, and internal policies.
5. Compliance with laws and regulations.
6. Responsiveness to recommendations from auditors and supervisory authorities.
7. Management depth and succession.
8. The extent that the board of directors and management is affected by, or susceptible to, dominant influence or concentration of authority.
9. Reasonableness of compensation policies and avoidance of self-dealing.
How can management demonstrate sufficient progress in these areas? Two words: delegation and documentation. Delegate the day-to-day responsibilities to committees consisting of both employees and (when necessary to add expertise) external consultants. Clearly define the scope and mission of each committee, and always document every meeting. This may seem daunting, but in a smaller institution, the technology steering committee (or equivalent) can serve multiple functions, addressing IT strategic planning, information security, and regulatory compliance (items 1-8 above). Chances are this committee already exists; all that’s necessary is to expand the agenda a bit to include discussion of the items listed above. Larger organizations may want to keep IT-related items in tech steering, but address the compliance items (2, 4, 5, and 6) in a separate compliance or audit committee. Further segmentation may separate strategic planning items (1, 7, 8 and 9) into their own group.
The issue of management will continue to be at the forefront of regulatory safety and soundness scrutiny, and given the on-going challenges in the industry, will only increase in importance going forward.
Note: The Safe Systems QSR/ASR/Account Manager process, which is included in every NetComply contract, is designed to align with the regulatory best practice of the “control self-assessment (CSA)” when presented and documented in an appropriate committee setting. This CSA (with the account manager as the facilitator) goes significantly beyond the standard “check-list” compliance response to information security and, when combined with the other agenda items, effectively addresses elements 1-8 of the CAMELS management component.
 Department of the Treasury, Federal Deposit Insurance Corporation – Evaluation of Federal Regulatory Oversight of Washington Mutual Bank, April 2010
 Office of Inspector General, The FDIC’s Role in the Monitoring of Indy Mac Bank, August 2009
 Audit Booklet – August 2003, page 3
 Business Continuity Planning Booklet – March 2008, page 3
 Information Security Booklet – July 2006, page 5
 Operations Booklet – June 2004, page 3
 Outsourcing Technology Services Booklet – June 2004, page 3
 FDIC, UNIFORM FINANCIAL INSTITUTIONS RATING SYSTEM, source; 62 Fed. Reg. 752, January 6, 1997, effective January 1, 1997
 See your account manager for our most current version.